Hacker News
by edwintorok 4146 days ago
You probably only want to enable syn cookies when you are under heavy attack, but from the same article:

"I can trivially prevent any inbound client connections with 2 threads of syn flood. Enabling tcp_syncookies brings the connection handling back up to 725 fetches per second."

"This data compellingly supports the continued value of the syncookie and that position seems to have won the day."

Of course this refers to the Linux TCP/IP stack; the Mirage stack is completely different, so it remains to be seen what measures will be effective against syn floods.